CVE-2025-52573 ios-simulator-mcp

Package

Manager: npm
Name: ios-simulator-mcp
Vulnerable Version: >=0 <1.3.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00122 (percentile: 0.3207)

Details

iOS Simulator MCP Command Injection allowed via exec API

# Command Injection in MCP Server

The MCP Server at https://github.com/joshuayoes/ios-simulator-mcp/ is written in a way that is vulnerable to command injection attacks as part of some of its MCP Server tool definition and implementation.

## Vulnerable tool

The MCP Server exposes the tool `ui_tap`, which relies on the Node.js child process API `exec`, an unsafe and vulnerable API when its command string is concatenated with untrusted user input.

LLM-exposed user input for the `duration`, `udid`, `x` and `y` args can be replaced with shell meta-characters like `;` or `&&` or others to change the behavior from running the expected command `idb` to another command.

Vulnerable line of code: https://github.com/joshuayoes/ios-simulator-mcp/blob/main/src/index.ts#L166-L207

```js
server.tool(
  "ui_tap",
  "Tap on the screen in the iOS Simulator",
  {
    duration: z.string().optional().describe("Press duration"),
    udid: z
      .string()
      .optional()
      .describe("Udid of target, can also be set with the IDB_UDID env var"),
    x: z.number().describe("The x-coordinate"),
    y: z.number().describe("The x-coordinate"),
  },
  async ({ duration, udid, x, y }) => {
    try {
      const actualUdid = await getBootedDeviceId(udid);
      // duration is an unvalidated string interpolated into the command line
      const durationArg = duration ? `--duration ${duration}` : "";
      // exec() hands the whole string to a shell, which parses any meta-characters
      const { stderr } = await execAsync(
        `idb ui tap --udid ${actualUdid} ${durationArg} ${x} ${y} --json`
      );
      // (the advisory's excerpt ends here)
```

## Exploitation

When LLMs are tricked through prompt injection (and other techniques and attack vectors) into calling the tool with input that uses special shell characters such as `; rm -rf /tmp;#` and other payload variations, the full command-line text will be interpreted by the shell and result in commands other than `ps` executing on the host running the MCP Server.

Reference example from prior security research on this topic:

![Cursor defined MCP Server vulnerable to command injection](https://res.cloudinary.com/snyk/image/upload/f_auto,w_2560,q_auto/v1747081395/Screenshot_2025-05-07_at_9.22.11_AM_d76kvm.png)

## Impact

User initiated and remote command injection on a running MCP Server.

## References and Prior work

1. [Exploiting MCP Servers Vulnerable to Command Injection](https://snyk.io/articles/exploiting-mcp-servers-vulnerable-to-command-injection/)
2. Liran's [Node.js Secure Coding: Defending Against Command Injection Vulnerabilities](https://www.nodejs-security.com/book/command-injection)

## Disclosed by

[Liran Tal](https://lirantal.com)
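
The following is an added example, not code from the advisory or from the ios-simulator-mcp project. It shows one way to build the `idb ui tap` invocation used by `ui_tap` without a shell: each argument is validated, then passed as an argv array to `execFile`. The function names, the UUID-shaped UDID pattern, the decimal duration pattern and the non-negative coordinate rule are assumptions.

```javascript
// Added example: shell-free invocation for a ui_tap-style tool.
// Assumption: simulator UDIDs are UUID-shaped.
const UDID_RE = /^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$/;
// Assumption: duration is a plain non-negative decimal number of seconds.
const DURATION_RE = /^\d+(\.\d+)?$/;

// Validate every tool argument and return an argv array (never a command string).
function buildTapArgs({ duration, udid, x, y }) {
  if (typeof udid !== "string" || !UDID_RE.test(udid)) {
    throw new TypeError("invalid udid");
  }
  if (duration !== undefined &&
      (typeof duration !== "string" || !DURATION_RE.test(duration))) {
    throw new TypeError("invalid duration");
  }
  // Reject NaN, Infinity, strings and negatives (a leading "-" could be read as a flag).
  for (const n of [x, y]) {
    if (!Number.isFinite(n) || n < 0) throw new TypeError("invalid coordinate");
  }
  const args = ["ui", "tap", "--udid", udid];
  if (duration !== undefined) args.push("--duration", duration);
  args.push(String(x), String(y), "--json");
  return args;
}

// Run the command. execFile passes argv straight to the program, so no shell
// ever parses `;`, `&&`, backticks or `$()` even if validation were bypassed.
// `bin` is a parameter only so the function can be exercised without idb installed.
async function tap(input, bin = "idb") {
  const { execFile } = await import("node:child_process");
  const { promisify } = await import("node:util");
  return promisify(execFile)(bin, buildTapArgs(input), { timeout: 10_000 });
}

// Constructed sample input (not a real device id).
const SAMPLE_UDID = "A1B2C3D4-0000-4000-8000-1234567890AB";
console.log(buildTapArgs({ udid: SAMPLE_UDID, duration: "0.5", x: 10, y: 20 }));
```

Validation and the argv form are independent layers: the pattern checks reject the payload from the Exploitation section before any process starts, and `execFile` keeps an unexpected value from being interpreted as shell syntax.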

Metadata

Created: 2025-06-26T21:20:37Z
Modified: 2025-06-26T21:20:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-6f6r-m9pv-67jw/GHSA-6f6r-m9pv-67jw.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-6f6r-m9pv-67jw
Finding: F404
Auto approve: 1